Do it now

June 26th, 2009

If you have a 3G[s], get the ECID+ibss30 sig file from PurpleRa1n now. Seriously, do it _as soon_ as you possibly can.

Link: Here
Instructions: Here

ohay 24k

June 25th, 2009

Read

I am simply making this post because “ohay 24k” rhymes more than “and it shall be pwned for life”, but nobody else agreed :(

3G[s]

June 8th, 2009

My iPhone 3G has been sold. Thanks for the offers!

We saw a nice presentation of the 3.0 software and the new iPhone 3G[s] today at WWDC. The 3.0 Gold Master has been seeded to developers and will be released to everyone on June 17, with the iPhone 3G[s] coming out June 19. We are prepared, and are in the process of getting the needed patches as usual. I strongly advise against any quickpwn dot com or Russian jailbreaks, as WinterBoard and anything that uses MS (MobileSubstrate) will not work. With our patch set, it will work fine.

As for the iPhone 3G[s], as much as I would love to, I cannot buy one and help jailbreak it as I had hoped. AT&T is taking the “no-vaseline” approach and decided it would be just dandy to charge people with an iPhone 3G right now, $600 for the new 3G[s]. This is incredibly stupid, and I hope they go bankrupt. That is all I have to say on that front. Hopefully, since a majority of the iPhone Dev Team is in Europe, they will have better luck. I’ll still help where I can, but it will not be easy if I do not actually have the device. Anyone care to donate one? :)

Stay tuned, 3.0 is only a week away!
- chronic

Hang in there!

May 26th, 2009

Hey all, just posting to tell you all that we are indeed still alive. Just a few notes:

- The iPod touch 2G is still easily jailbreakable provided that the 24kPwn payload is attached, even in 3.0. People who are worrying about this should not be, especially after some users of iPod touch Fans took matters into their own hands and made their own homebrew tethered jailbreak for 3.0.
- If you have been living under a rock and did not yet know, Cydia is now compatible with 3.0, and while we still do not endorse using unofficial bundles, we can say that it is /much/ more stable when using Cydia versus Icy, which seems to break a lot of stuff.
- WinterBoard and such are currently not working because Apple changed some things in the kernel. QuickPwn uses an automatic search-and-patch mechanism, and the only reason these unofficial bundles work at all is that the byte pattern it searches for to patch the codesign checks is still the same, while the other patch, the one that lets programs such as WinterBoard and MobileSubstrate run, had its "magic bytes" changed.
- There will not be another blog post until the official release of 3.0 and the next generation iPhone, so as to retain whatever respect is left for the Developer Program NDA.
- Somewhat of a derail, but team member westbaer just had his App Store application approved after a long battle with Apple over denials of it. It is called fmylife.
- After a bit of twitter confusion on the expiry date, I put this together with a few lines of php. If you know your way around lockdownd, plop the hardcoded epoch in here and it will output the expiration date of the beta build. Example: Beta 5 will expire on June 19, 2009.

See you all in the summer,
-chronic

redsn0w (full) - beta

April 9th, 2009

In case you have not heard already, planetbeing has created a command line tool that applies our 24kPwn exploit, for Mac, Windows, and Linux. You can grab it from the main redsn0w site here.

Current Rev: v0.3

Decrypt 3.x Root FS

April 5th, 2009

GenPass Source

The “Russian” Method

April 4th, 2009

There seems to have been an unofficial QuickPwn released by an unknown Russian group. I am not stopping you from using it, but here are some warnings and information.

Basically, they just include the decryption keys for the firmware files and leave the rest to QuickPwn's automatic search-and-patch mechanism to find the places to patch. The reason it is a Windows-only release is that the Mac version, properly, requires actual patches, which I assume this group does not know how to get or did not bother to find.
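The failure mode that search-and-patch bundles run into (a patch whose byte pattern no longer exists is silently skipped, so the image ends up half-patched) is easy to model. What follows is an added example written for this page in Python; it is not QuickPwn's code or anything from the dev teams, and the patterns and the two "kernel" blobs are constructed for the demo, not real iPhone OS bytes. The same model covers the May 26th note on why the codesign patch still landed on 3.0 while the MobileSubstrate one did not.

```python
# Byte-signature "search and patch" in the style the post describes, with the
# check a careless bundle omits: every patch must match exactly once, and a
# missing pattern fails the whole run instead of yielding a half-patched image.

# Constructed (name -> (search pattern, replacement)) pairs for the demo.
# These are NOT real iPhone OS kernel bytes; replacement length must equal pattern length.
PATCHES = {
    "codesign": (b"\x01\x20\x70\x47\xaa\xbb\xcc\xdd",
                 b"\x00\x20\x70\x47\xaa\xbb\xcc\xdd"),
    "substrate": (b"\x10\xb5\x00\x21\x11\x22\x33\x44",
                  b"\x10\xb5\x01\x21\x11\x22\x33\x44"),
}

# Constructed kernel images. OLD_KERNEL carries both patterns; NEW_KERNEL keeps the
# codesign bytes but the "magic bytes" at the second site changed (0x21 -> 0x22),
# which is the situation the post describes for the 3.0 betas.
FILLER = b"\x00" * 16
OLD_KERNEL = FILLER + PATCHES["codesign"][0] + FILLER + PATCHES["substrate"][0] + FILLER
NEW_KERNEL = (FILLER + PATCHES["codesign"][0] + FILLER
              + b"\x10\xb5\x00\x22\x11\x22\x33\x44" + FILLER)


def search_and_patch(image, patches):
    """Replace every occurrence of each pattern. Returns (patched_image, {name: hits})."""
    buf = bytearray(image)
    report = {}
    for name, (pattern, replacement) in patches.items():
        if len(pattern) != len(replacement):
            raise ValueError("patch %s changes length" % name)
        hits, start = 0, 0
        while True:
            i = buf.find(pattern, start)
            if i < 0:
                break
            buf[i:i + len(pattern)] = replacement
            hits += 1
            start = i + len(pattern)
        report[name] = hits
    return bytes(buf), report


def patch_or_fail(image, patches):
    """Fail closed: refuse an image where any patch matched zero or several times."""
    patched, report = search_and_patch(image, patches)
    missing = sorted(n for n, c in report.items() if c == 0)
    ambiguous = sorted(n for n, c in report.items() if c > 1)
    if missing or ambiguous:
        raise ValueError("unpatched: %s; ambiguous: %s" % (missing, ambiguous))
    return patched


if __name__ == "__main__":
    print(search_and_patch(OLD_KERNEL, PATCHES)[1])   # {'codesign': 1, 'substrate': 1}
    print(search_and_patch(NEW_KERNEL, PATCHES)[1])   # {'codesign': 1, 'substrate': 0}
    try:
        patch_or_fail(NEW_KERNEL, PATCHES)
    except ValueError as e:
        print("refused:", e)
```

A bundle that only ships keys and relies on this kind of search gets exactly the second report on a changed kernel: the codesign patch applies, the other one finds nothing, and unless the tool refuses at that point the user ends up with a booting but half-patched system.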

Because they don't include any patches, this will cause some problems:
- Unlock: You will need to upgrade to the 3.0 firmware before you use their method, meaning you will get the 4.22 baseband. You will not be able to use it with your carrier if you are currently unlocked on 2.28 with yellowsn0w, nor can you downgrade to an exploitable baseband firmware.
- Expiration: They do not patch out the expiration, so have fun with your brick once a new beta is out, if it does not leak :)
- iPod touch 2G users: They probably do not understand our 24kPwn exploit, so they do not support the iPod touch 2G in their modified QuickPwn.

The best thing to do is to just wait until summer, or stay on release firmwares (2.2.1), but since I know that many will not want to do that, I will just say, you have been warned.

3.0 Overview

March 17th, 2009

Today, along with an excellent presentation, came the 3.0 "KirkVail" beta firmware. It was put up on the torrents just recently, so I have not had too much time to look into it, but so far it seems that (a) the firmware files are unencrypted, for example, just strip the first 0x30 bytes and there you have it, and (b) there is a new tag called TYPE. It is not of "too" much use, but it just tightens the vicegrip on our balls, so to speak. It does not really make much sense, since the fourcc at 0x10 of the img3 header could just be used, but the point of it is to assure that you are loading what you should be loading, for example iBEC with the "go" command, the kernel and ramdisk with the bootx command, etc.
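To make the container layout concrete, here is an added example (not code from this post or from the dev teams) of a small Img3 tag walker in Python. It assumes the header described above (magic, fullSize, sizeNoPack, sigCheckArea, then the ident fourcc at 0x10) followed by tags that each carry magic, totalLength and dataLength, and it assumes four-character codes are stored byte-reversed on disk; the sample containers are constructed inside the script and are not real firmware files. It also models the TYPE check a loader would do, including the two ways it can fail.

```python
import struct

# Img3 header: magic, fullSize, sizeNoPack, sigCheckArea, ident (fourcc at 0x10).
IMG3_HEADER = struct.Struct("<4sIII4s")   # 0x14 bytes
IMG3_TAG = struct.Struct("<4sII")         # tag magic, totalLength, dataLength


def fourcc_to_bytes(s):
    """Four-character codes are stored byte-reversed on disk ('Img3' -> b'3gmI')."""
    return s.encode("ascii")[::-1]


def bytes_to_fourcc(b):
    return b[::-1].decode("ascii")


def build_tag(magic, data):
    padded = data + b"\x00" * (-len(data) % 4)
    return IMG3_TAG.pack(fourcc_to_bytes(magic), IMG3_TAG.size + len(padded), len(data)) + padded


def build_img3(ident, tags):
    """Assemble a constructed, unsigned, unencrypted Img3 container for the demo."""
    body = b"".join(build_tag(m, d) for m, d in tags)
    header = IMG3_HEADER.pack(fourcc_to_bytes("Img3"), IMG3_HEADER.size + len(body),
                              len(body), len(body), fourcc_to_bytes(ident))
    return header + body


def parse_img3(blob):
    """Walk the tag list with bounds checks; returns {'ident': fourcc, 'tags': [(magic, data)]}."""
    if len(blob) < IMG3_HEADER.size:
        raise ValueError("truncated header")
    magic, full_size, _, _, ident = IMG3_HEADER.unpack_from(blob, 0)
    if magic != fourcc_to_bytes("Img3"):
        raise ValueError("not an Img3 container")
    if full_size > len(blob):
        raise ValueError("fullSize exceeds file length")
    tags, off = [], IMG3_HEADER.size
    while off < full_size:
        if off + IMG3_TAG.size > full_size:
            raise ValueError("truncated tag header at 0x%x" % off)
        tmagic, total, dlen = IMG3_TAG.unpack_from(blob, off)
        # A tag must at least hold its own header, stay inside fullSize, and not
        # claim more data than its totalLength allows (also guarantees progress).
        if total < IMG3_TAG.size or off + total > full_size or dlen > total - IMG3_TAG.size:
            raise ValueError("bad tag length at 0x%x" % off)
        tags.append((bytes_to_fourcc(tmagic), blob[off + IMG3_TAG.size:off + IMG3_TAG.size + dlen]))
        off += total
    return {"ident": bytes_to_fourcc(ident), "tags": tags}


def find_tag(parsed, magic):
    for m, d in parsed["tags"]:
        if m == magic:
            return d
    return None


def extract_payload(blob):
    """DATA contents found by walking tags, which works for any tag order,
    unlike stripping a fixed number of leading bytes."""
    data = find_tag(parse_img3(blob), "DATA")
    if data is None:
        raise ValueError("no DATA tag")
    return data


def check_type(parsed, expected):
    """Model of a loader comparing the TYPE tag with the kind of image it expects."""
    t = find_tag(parsed, "TYPE")
    if t is None or len(t) != 4:
        return "missing"
    return "ok" if bytes_to_fourcc(t) == expected else "mismatch"


# Constructed samples (payload and version string are made up for the demo).
KERNEL_PAYLOAD = b"\xde\xc0\xad\xde" + b"constructed kernel payload"
SAMPLE_KERNEL = build_img3("krnl", [("TYPE", fourcc_to_bytes("krnl")),
                                    ("VERS", b"constructed-version-string"),
                                    ("DATA", KERNEL_PAYLOAD)])
SAMPLE_WRONG_TYPE = build_img3("krnl", [("TYPE", fourcc_to_bytes("ibec")), ("DATA", KERNEL_PAYLOAD)])
SAMPLE_NO_TYPE = build_img3("krnl", [("DATA", KERNEL_PAYLOAD)])   # 2.x-style, no TYPE tag

if __name__ == "__main__":
    p = parse_img3(SAMPLE_KERNEL)
    print(p["ident"], [m for m, _ in p["tags"]], check_type(p, "krnl"))
    print(check_type(parse_img3(SAMPLE_WRONG_TYPE), "krnl"), check_type(parse_img3(SAMPLE_NO_TYPE), "krnl"))
```

The parser rejects a container whose fullSize runs past the end of the file or whose tag lengths are zero or oversize, which is the kind of input a firmware loader has to survive; the payload extraction goes by tag rather than by fixed offset, so the "strip 0x30 bytes" shortcut is replaced by something that does not depend on one specific tag order.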

Since I know everyone is eager to upgrade, I must stress that you should wait until a new PwnageTool comes out if you want any jailbroken functionality. The patches themselves are straightforward to do, as the Img3 files do not even seem to be encrypted, but the ASR program no longer stores the root filesystem DMG key in plain ASCII, so that could be the one thing holding back the devteam on the new bundles.

Also, I would like to be the first to say, “Here we go again!” :)

Note on downgrading: I have not done any testing myself, but from experience I know they cannot permanently disable you from downgrading. If you downgrade iTunes, and do a DFU restore with the downgraded iTunes, then it will let you go back to 2.x.

Links: Please do NOT share download links to the firmware in the comments.

Jailbreak: There will be no jailbreak for the 3.0 firmware from chronicdev or devteam until final release this summer. You may find half-baked (read: plist thrown together with just keys and IVs of fw files) quickpwn bundles from third-parties, but these are not guaranteed to work, and are definitely not supported by chronicdev or the devteam.

LogoMe and such

March 12th, 2009

Just to note, anyone who tries to use LogoMe or any application with a similar function will find it does not work. The LLB patch using our 24kPwn exploit is done differently from the normal Pwnage patches, so there is no way to make it work even by putting a new FirmwareBundle for the iPod touch 2G into it. I don't know if there are any similar programs, but if there are and the creator is reading this, all that needs to be done is to apply the 24kPwn patch directly to the LLB (encrypted) file, rather than unpacking / decrypting it, patching, and then repacking / encrypting it. We do not need to patch the RSA check, because our method jumps straight to decrypting and executing the LLB while the bootrom is parsing it, so the bootrom's RSA check is never reached. If you bought a "Slipstream", you may or may not have to do things differently due to their sloppy implementation of 24kPwn.

Rough Untethered Released

March 11th, 2009

EDIT: I see a lot of people out there saying “THANK YOU CHRONIC!” and thought it was a good idea to point out that many were involved in developing this exploit. Please see here for the credits.

We wanted this out ASAP so NitroKey could make as little money as possible off something we already knew so much about and already had fully implemented, having saved it for the next iPhone. Anyway, download our patch file and apply it to the LLB in a Pwned (tethered) IPSW. This applies our 24kPwn exploit to the LLB.

This has been thanks to the hard work of CPICH, chronic, pod2g, ius, posixninja, planetbeing, and co. There was no company involved in this release at all; not even super-man could reverse their obfuscated (and sloppy, mind you) implementation in this amount of time. The only reason we knew was via NOR dumps from some customers as well as some "image list" pastes, which showed they used the segment overflow that we had found and were saving. Also, I would like to give special thanks to MuscleNerd for putting the patch up and posting it around to make sure everyone caught wind of it.